Reverse engineering has long been the core skill for analysing malware, from the viruses of the past to the state-grade tools that keep appearing, and it remains one of the most important areas of security work. For anyone doing that analysis, the most fundamental piece of knowledge is the structure called the PE header: every look at a Windows executable, and every bit of reverse engineering done on it, starts from the information stored there.

1. The basics of program analysis

PE file format

First, to understand the PE header you need to understand the PE file format it lives in.

PE stands for Portable Executable; it is the executable file format defined by the Windows operating system.

The PE file format holds enough different kinds of information to fill a book. This post covers only what is needed here; readers who want a more in-depth study should consult MSDN and the books referenced there.

On Windows the extensions we usually meet in the PE family are EXE, SCR, DLL, OCX, SYS and OBJ. Apart from EXE files, which run directly, and OBJ files, which cannot be run at all, these are all loaded and executed indirectly (as a service, through a debugger, via a registry entry, and so on). One caveat: an OBJ file is a COFF object produced by the compiler, so it carries the file header and section table but no DOS header, no PE signature and no optional header; the DOS/NT header chain described below applies to the executable images (EXE, DLL, SYS, etc.), not to OBJ files.

The following figure, published on MSDN a long time ago, shows the general structure of a PE file.

[Figure] PE Header structure (source: MSDN)

Other sources draw the picture slightly differently, but the required headers are the same everywhere. The left side of the figure is the file as it sits on disk. Each structure ends where the next begins, and what shows up as runs of NULL bytes between them in a hex editor is alignment padding: the headers are rounded up to FileAlignment, and so is every section's raw data, so the padding is the easiest visual cue for where one part ends and the next starts.

So let's look at the contents in a HEX editor in more detail.

The right side of the [figure] shows the same PE file after it has been loaded into memory. File offsets no longer apply; every location is now a VA (Virtual Address). The PE header therefore expresses the size and location of each section as an RVA (Relative Virtual Address), an offset from the address the image is loaded at, so that the loader can place the whole image at its preferred base or relocate it elsewhere simply by changing that base: VA = ImageBase + RVA, and the RVAs in the headers never change.

To make the PE structure easier to tell apart, I will add pictures and descriptions taken from PEView and PEBrowse. Readers who have not used those tools should take this opportunity to try them.

Having looked briefly at the overall structure of the PE file format, from here on we go into the PE header itself and a few of the important DataDirectory entries (IAT, EAT and so on).

DOS Header

The DOS header is the first structure in the actual file; keep the figure above in mind while reading the notes below.

[Figure] DOS Header HEX values confirmed in HxD

The bytes inside the square box in the picture above are the DOS header, which is 40h (64) bytes long. Immediately after it comes the DOS stub: the code that runs if the file is executed in DOS mode, whose only job is to print a message such as "This program cannot be run in DOS mode." It has nothing to do with how the program runs under Windows, and its contents are 16-bit code written for the DOS environment. Two members of the DOS header are underlined because they are the only ones that matter here. The first is e_magic, whose value is the ASCII code "MZ" (the DOS signature); every PE file begins with these two bytes. The second is e_lfanew, the last member of the structure, located at file offset 3Ch, which holds the file offset at which the NT header starts. In this file e_lfanew is 000000E0, and that is why the bytes leading up to it (around d0h in the picture) are NULL padding: the stub ended earlier and the NT header was aligned to E0h. At that offset you find the ASCII code "PE", the PE signature, which is the part you need to pay attention to today. The PE header that follows it contains the information Windows needs to run the file.

Before moving on from the DOS header, here is the IMAGE_DOS_HEADER structure that describes it.

typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
    WORD   e_magic;                     // Magic number ("MZ")
    WORD   e_cblp;                      // Bytes on last page of file
    WORD   e_cp;                        // Pages in file
    WORD   e_crlc;                      // Relocations
    WORD   e_cparhdr;                   // Size of header in paragraphs
    WORD   e_minalloc;                  // Minimum extra paragraphs needed
    WORD   e_maxalloc;                  // Maximum extra paragraphs needed
    WORD   e_ss;                        // Initial (relative) SS value
    WORD   e_sp;                        // Initial SP value
    WORD   e_csum;                      // Checksum
    WORD   e_ip;                        // Initial IP value
    WORD   e_cs;                        // Initial (relative) CS value
    WORD   e_lfarlc;                    // File address of relocation table
    WORD   e_ovno;                      // Overlay number
    WORD   e_res[4];                    // Reserved words
    WORD   e_oemid;                     // OEM identifier (for e_oeminfo)
    WORD   e_oeminfo;                   // OEM information; e_oemid specific
    WORD   e_res2[10];                  // Reserved words
    LONG   e_lfanew;                    // File address of new exe header (offset 0x3C)
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

[Contents] IMAGE_DOS_HEADER structure: Microsoft SDK WinNT.h

That is the DOS header. The members that matter for analysis have been covered; the remaining fields are DOS-era leftovers and will not be discussed further. Next, the NT header.

NT Header

Now let's look at the PE header proper, in other words IMAGE_NT_HEADERS.

The NT header consists of one plain member and two embedded headers: Signature, FileHeader (IMAGE_FILE_HEADER) and OptionalHeader (IMAGE_OPTIONAL_HEADER). Rather than go on at length about each one, let's check the members of each in turn.

First, the plain member: 1. Signature. Just as the DOS header announces itself with "MZ", the NT header begins with the ASCII code "PE" followed by two NULL bytes (50 45 00 00). Right after it comes the File Header, so let's check that structure's members next.

2. NumberOfSections is the number of sections the PE file currently has; the loader reads exactly that many section headers from the section table.

3. TimeDateStamp is the value that records when the file was built (a 32-bit count of seconds since 1970-01-01 UTC). It is written by the linker and can be set to anything, so in malware analysis treat it as a hint, not a fact.

4. SizeOfOptionalHeader is the size of the IMAGE_OPTIONAL_HEADER32 structure described next (E0h for a 32-bit image, F0h for a 64-bit one); the section table begins immediately after that many bytes. Finally, 5. Characteristics holds the file's attribute flags; the detailed descriptions are in WinNT.h.

For REGEDIT.EXE the Characteristics value is 102h, which decodes as 0x0002 (IMAGE_FILE_EXECUTABLE_IMAGE) plus 0x0100 (IMAGE_FILE_32BIT_MACHINE): as the figure above shows, a runnable image for a 32-bit machine. The Machine value seen earlier, 14ch, indicates an Intel 386-compatible processor (IMAGE_FILE_MACHINE_I386).

That covers the FileHeader. Now on to the part that matters most from here on, the IMAGE_OPTIONAL_HEADER32 structure.

1. Magic is the value that distinguishes IMAGE_OPTIONAL_HEADER32 (32-bit, PE32) from IMAGE_OPTIONAL_HEADER64 (64-bit, PE32+): 10bh for 32-bit and 20bh for 64-bit. 2. SizeOfCode is the size of the code in the file, normally the .text section (or the sum of all code sections if there are several), so for a typical image it equals the .text section's SizeOfRawData, which appears in the section header discussed later.

3. AddressOfEntryPoint is the value that gets the most attention: the program's starting point (Entry Point), expressed as an RVA (Relative Virtual Address). Once loading is complete, ImageBase + AddressOfEntryPoint is placed in the EIP register and execution starts there. This is also the first thing a packer changes, so an entry point that lands outside .text is an early warning sign.

6. ImageBase is the address at which the file is loaded in memory, or more precisely the address it asks for; with ASLR, or when the requested range is occupied, the loader may place it elsewhere and apply the relocations, which is exactly why the other header fields are RVAs.

7. SectionAlignment and 8. FileAlignment are the smallest units by which a section is placed in memory and in the file, respectively. A section's size and position in the file must be a multiple of FileAlignment, and in memory a multiple of SectionAlignment; the gap up to the next boundary is padded with NULL bytes.

9. SizeOfImage is the total size the image occupies once loaded into memory (rounded up to SectionAlignment). 10. SizeOfHeaders is the combined size of all the headers in the file (DOS header, DOS stub, NT headers and section table, rounded up to FileAlignment); the first section's raw data starts right after it.

11. Subsystem indicates the environment the program runs in (GUI application, console application, native driver, and so on); the values are defined in WinNT.h, for example IMAGE_SUBSYSTEM_NATIVE = 1, IMAGE_SUBSYSTEM_WINDOWS_GUI = 2 and IMAGE_SUBSYSTEM_WINDOWS_CUI = 3.

The optional header ends with the 16 DataDirectory entries; the important ones are shown in bold in the listing below. Four of them are essential to the way the PE header works, and they are closely tied to the IAT (Import Address Table) and EAT (Export Address Table); the IAT and EAT are discussed, with a demonstration, after the Section Header. The rest are left for further study. To put it briefly: the DataDirectory tells you where (as an RVA) and how large each table the PE file provides is, such as which libraries and functions it imports and which functions it exports. An entry with VirtualAddress and Size both zero simply means the file has no such table.

DataDirectory[0] – IMAGE_DIRECTORY_ENTRY_EXPORT
    (+0x60) VirtualAddress: 0x00000000
    (+0x64) Size: 0x00000000
DataDirectory[1] – IMAGE_DIRECTORY_ENTRY_IMPORT
    (+0x68) VirtualAddress: 0x0001A564
    (+0x6C) Size: 0x00000154
DataDirectory[2] – IMAGE_DIRECTORY_ENTRY_RESOURCE
    (+0x70) VirtualAddress: 0x0005F000
    (+0x74) Size: 0x00003488
DataDirectory[3] – IMAGE_DIRECTORY_ENTRY_EXCEPTION
DataDirectory[4] – IMAGE_DIRECTORY_ENTRY_SECURITY
DataDirectory[5] – IMAGE_DIRECTORY_ENTRY_BASERELOC
DataDirectory[6] – IMAGE_DIRECTORY_ENTRY_DEBUG
DataDirectory[7] – IMAGE_DIRECTORY_ENTRY_ARCHITECTURE
DataDirectory[8] – IMAGE_DIRECTORY_ENTRY_GLOBALPTR
DataDirectory[9] – IMAGE_DIRECTORY_ENTRY_TLS
DataDirectory[10] – IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
DataDirectory[11] – IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT
DataDirectory[12] – IMAGE_DIRECTORY_ENTRY_IAT
    (+0xC0) VirtualAddress: 0x00001000
    (+0xC4) Size: 0x00000580
DataDirectory[13] – IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT
DataDirectory[14] – IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
DataDirectory[15] – reserved (must be zero)

[Content] PEBrowse DataDirectory structures
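The header walk described in the DOS Header, NT Header and DataDirectory sections above, as an added example that is not part of the original post and not code from PEView, PEBrowse or Microsoft. It follows e_magic, then e_lfanew, then the PE signature, then IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER (PE32 or PE32+) and the DataDirectory, decodes the Characteristics bits the way the REGEDIT.EXE value 102h was decoded above, computes ImageBase + AddressOfEntryPoint, and checks the SectionAlignment/FileAlignment rule. It goes one step beyond the text by also reading the section table (the topic of the next section) so that a DataDirectory RVA, such as the import table's, can be translated back to a file offset. The input is a constructed minimal PE32 image built inline, not REGEDIT.EXE or any real program; every offset used is the WinNT.h layout. The parser refuses any file whose header chain does not check out instead of indexing blindly, which is the behaviour you want in front of untrusted samples.

```python
"""Walks the PE header chain discussed above (DOS header -> e_lfanew -> PE signature ->
IMAGE_FILE_HEADER -> IMAGE_OPTIONAL_HEADER -> DataDirectory -> section table) and maps an
RVA to a file offset.  Added for this article; not code from it, PEView, PEBrowse or
Microsoft.  The sample image built below is constructed, not a real program."""
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550   # "MZ", "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B                      # optional header Magic
MACHINES = {0x14C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
FILE_CHARACTERISTICS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",  # subset of
                        0x0100: "32BIT_MACHINE", 0x2000: "DLL"}                 # IMAGE_FILE_*
DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
               "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
               "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]

def _u(data, off, size):
    """Bounds-checked little-endian read: a truncated or hostile header raises."""
    if off < 0 or off + size > len(data):
        raise ValueError(f"{size}-byte read at 0x{off:X} runs past end of file")
    return int.from_bytes(data[off:off + size], "little")

def parse_pe(data):
    """Return the header members the article discusses, with flags decoded."""
    if _u(data, 0, 2) != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = _u(data, 0x3C, 4)                        # last IMAGE_DOS_HEADER member
    if _u(data, e_lfanew, 4) != IMAGE_NT_SIGNATURE:
        raise ValueError("e_lfanew does not point at the PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER, 20 bytes
    machine, nsec, stamp = _u(data, fh, 2), _u(data, fh + 2, 2), _u(data, fh + 4, 4)
    opt_size, chars = _u(data, fh + 16, 2), _u(data, fh + 18, 2)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = _u(data, opt, 2)
    if magic == PE32_MAGIC:                             # PE32: ImageBase is a DWORD at +28
        image_base, dir_off = _u(data, opt + 28, 4), opt + 96
    elif magic == PE32PLUS_MAGIC:                       # PE32+: ImageBase is a QWORD at +24
        image_base, dir_off = _u(data, opt + 24, 8), opt + 112
    else:
        raise ValueError(f"unknown optional header Magic 0x{magic:X}")
    n_dirs = min(_u(data, dir_off - 4, 4), 16)          # NumberOfRvaAndSizes, capped at 16
    dirs = {DIRECTORIES[i]: (_u(data, dir_off + 8 * i, 4), _u(data, dir_off + 8 * i + 4, 4))
            for i in range(n_dirs)}
    sec_align, file_align, entry = (_u(data, opt + o, 4) for o in (32, 36, 16))
    sections = []
    for i in range(nsec):                               # section table follows the optional header
        s = opt + opt_size + 40 * i
        sections.append({"Name": data[s:s + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": _u(data, s + 8, 4), "VirtualAddress": _u(data, s + 12, 4),
                         "SizeOfRawData": _u(data, s + 16, 4), "PointerToRawData": _u(data, s + 20, 4)})
    return {"e_lfanew": e_lfanew, "Machine": MACHINES.get(machine, hex(machine)),
            "NumberOfSections": nsec, "TimeDateStamp": stamp,
            "Characteristics": [n for bit, n in FILE_CHARACTERISTICS.items() if chars & bit],
            "Magic": "PE32" if magic == PE32_MAGIC else "PE32+",
            "SizeOfCode": _u(data, opt + 4, 4), "AddressOfEntryPoint": entry,
            "ImageBase": image_base, "EntryPointVA": image_base + entry,   # first EIP/RIP value
            "SectionAlignment": sec_align, "FileAlignment": file_align,
            "SizeOfImage": _u(data, opt + 56, 4), "SizeOfHeaders": _u(data, opt + 60, 4),
            "Subsystem": _u(data, opt + 68, 2),         # 2 = WINDOWS_GUI, 3 = WINDOWS_CUI
            "DataDirectory": dirs, "Sections": sections,
            # alignment rule from the text: RVAs are multiples of SectionAlignment, raw sizes
            # and raw offsets multiples of FileAlignment; a zero alignment is itself invalid
            "AlignmentOK": bool(sec_align and file_align) and all(
                s["VirtualAddress"] % sec_align == 0 and s["SizeOfRawData"] % file_align == 0
                and s["PointerToRawData"] % file_align == 0 for s in sections)}

def is_valid_pe(data):
    """True when every hop of the header chain checks out, False otherwise."""
    try:
        return bool(parse_pe(data))
    except ValueError:
        return False

def rva_to_file_offset(pe, rva):
    """RVA (e.g. a DataDirectory VirtualAddress) -> file offset via the section table;
    headers map 1:1, anything else must land in a section that has raw data."""
    if rva < pe["SizeOfHeaders"]:
        return rva
    for s in pe["Sections"]:
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + max(s["VirtualSize"], s["SizeOfRawData"]):
            delta = rva - s["VirtualAddress"]
            return s["PointerToRawData"] + delta if delta < s["SizeOfRawData"] else None
    return None                                         # not backed by file data (e.g. .bss)

def build_sample_pe32():
    """Constructed PE32 image: e_lfanew=0x80, i386, Characteristics 0x102, two sections."""
    dos = struct.pack("<H58xI", IMAGE_DOS_SIGNATURE, 0x80).ljust(0x80, b"\0")   # header + stub
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F3A1234, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB9I6H4I2H6I", PE32_MAGIC, 14, 0,                      # Magic, linker
                      0x200, 0x200, 0, 0x1000, 0x1000, 0x2000, 0x00400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0, 3, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(128)                                                       # 16 x (VA, Size)
    struct.pack_into("<II", dirs, 8 * 1, 0x2000, 0x28)                          # IMPORT
    struct.pack_into("<II", dirs, 8 * 12, 0x2040, 0x10)                         # IAT
    text = struct.pack("<8s6I2HI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    rdata = struct.pack("<8s6I2HI", b".rdata", 0x80, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + file_hdr + opt + bytes(dirs) + text + rdata).ljust(0x600, b"\0")

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe32())
    rva = pe["DataDirectory"]["IMPORT"][0]
    print(pe["Machine"], pe["Magic"], pe["Characteristics"], hex(pe["EntryPointVA"]), pe["AlignmentOK"],
          f"import RVA 0x{rva:X} -> file offset 0x{rva_to_file_offset(pe, rva):X}")
```

Run as a script it prints the decoded fields for the constructed image; to inspect a real file, pass open(path, "rb").read() to parse_pe and compare the output with what PEView shows. The one thing it deliberately does not do is trust e_lfanew, SizeOfOptionalHeader or NumberOfRvaAndSizes blindly: each value is bounds-checked before it is used and the directory count is capped at 16, because oversized or out-of-range header values are a classic way for a sample to crash or mislead an analysis tool. rva_to_file_offset returns None for an RVA that no section backs with raw data, which is the case for a .bss-style section and for header values that were simply made up.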

Section Header

With IMAGE_OPTIONAL_HEADER32 done, the NT header, and with it the PE header, is complete except for its final part, the Section Header. Let's look at the structure of that next.